PT-2024-32838 · Unknown+1 · Argo Workflows+1
Meln5674 · Published 2024-10-28 · Updated 2026-02-06

| Field | Value |
|---|---|
| CVE | CVE-2024-47827 |
| CVSS v4.0 | 6.9 (Medium) |
| Vector | AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions: Argo Workflows version 3.6.0-rc1
Description: Due to a race condition on a global variable, the Argo Workflows controller can be crashed on demand by any user who is allowed to execute a workflow. The crash is triggered by creating and cleaning up multiple daemon pods in rapid succession, which causes a panic and a restart of the controller. A malicious user with permission to create workflows can keep submitting workflows that do nothing except create and then clean up several daemon pods, putting the controller into a crash loop that prevents other users' workflows from running.
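The advisory names the defect class (unsynchronised access to a process-wide variable from concurrent controller goroutines) but not the variable itself. The following Go program is an added illustration, not Argo Workflows code: it assumes the shared state is a map keyed by daemon pod name (an assumption; the Go runtime aborts with "fatal error: concurrent map writes" when such a map is written from several goroutines at once, which matches the panic-and-restart behaviour described above), and shows the mutex-guarded form that survives the create-then-clean-up churn the description mentions. The type `DaemonRegistry` and the function `Churn` are hypothetical names chosen for this example.

```go
package main

import (
	"fmt"
	"sync"
)

// DaemonRegistry tracks the daemon pods a controller has started.
// Hypothetical type, not Argo's code: it stands in for a process-wide
// variable that several controller goroutines update at the same time.
// Without the mutex, concurrent Add/Remove calls on the map would make the
// Go runtime abort the whole process (which, under a supervisor, becomes the
// restart loop the advisory describes).
type DaemonRegistry struct {
	mu   sync.Mutex
	pods map[string]struct{}
}

func NewDaemonRegistry() *DaemonRegistry {
	return &DaemonRegistry{pods: make(map[string]struct{})}
}

// Add records a started daemon pod; the lock serialises concurrent writers.
func (r *DaemonRegistry) Add(name string) {
	r.mu.Lock()
	defer r.mu.Unlock()
	r.pods[name] = struct{}{}
}

// Remove forgets a cleaned-up daemon pod. Deleting a key that is already
// gone is a no-op in Go, so out-of-order cleanup does not fail either.
func (r *DaemonRegistry) Remove(name string) {
	r.mu.Lock()
	defer r.mu.Unlock()
	delete(r.pods, name)
}

// Len reports how many daemon pods are currently registered.
func (r *DaemonRegistry) Len() int {
	r.mu.Lock()
	defer r.mu.Unlock()
	return len(r.pods)
}

// Churn simulates the trigger from the advisory: many workflows creating and
// then cleaning up daemon pods in rapid succession. It returns how many pods
// are still registered once all goroutines have finished; with correct
// locking the answer is always 0, because every Add is paired with a Remove.
func Churn(r *DaemonRegistry, workflows, podsPerWorkflow int) int {
	var wg sync.WaitGroup
	for w := 0; w < workflows; w++ {
		wg.Add(1)
		go func(w int) {
			defer wg.Done()
			for p := 0; p < podsPerWorkflow; p++ {
				// Constructed pod names; the format is arbitrary.
				name := fmt.Sprintf("wf-%d-daemon-%d", w, p)
				r.Add(name)
				r.Remove(name)
			}
		}(w)
	}
	wg.Wait()
	return r.Len()
}

func main() {
	r := NewDaemonRegistry()
	fmt.Println("daemon pods left after churn:", Churn(r, 50, 100))
}
```

Running this under the race detector (`go test -race` or `go run -race`) is the practical check for this defect class: with the mutex in place the detector stays quiet, and removing the Lock/Unlock pairs makes it report the data race on the first concurrent Add/Remove, well before the runtime's fatal error would surface in production.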
Recommendations: For Argo Workflows version 3.6.0-rc1, update to version 3.6.0-rc2, which resolves the issue. As a temporary workaround, restrict who may execute workflows or limit the creation of daemon pods to reduce the risk of exploitation.
Exploit
Fix
Race Condition
Related Identifiers: CVE-2024-47827
Affected Products: Argo Workflows, Suse